During our work on the development of the VBWeb tests, which are due to start soon, we came across an interesting case of an infected website that served not only the Nuclear exploit kit, but also a fake blue screen of death (BSOD) that attempted to trick the user into falling for a support scam.

When a (legitimate) website includes (legitimate)
advertisements, these ads themselves are rarely included in the
HTML code. Rather, the HTML contains some code -- typically
JavaScript -- that loads content from an ad server, which shows the
advertisements in the browser. This means a selection of
advertisements can be shown that are deemed the most interesting to
the particular user, while it also allows advertisers to bid for
"eyeballs".

Malicious websites work in the same way. Indeed, the compromised
website in question (which, unsurprisingly, ran a 2008 version of
WordPress) contained a little bit of obfuscated JavaScript
that inserted an iframe as well as loading another piece of
JavaScript, both from the same server. These are two examples of
traffic distribution systems (TDS), which are the malicious
equivalent of the code used by ad networks to display relevant
ads.

[Image: the de-obfuscated JavaScript code added to the compromised website.]
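A static check for the loader pattern described above (an off-site host that delivers both an iframe and a script to the page), added here as an illustration and not code from the post; the page host, the hostnames and the sample HTML are constructed for the example.

```python
"""Flag script/iframe loads from third-party hosts in a page's HTML.

Legitimate ad networks typically load one script per host; a host that
hands the page both an iframe and a script is the TDS-like pattern the
post describes and deserves a closer look. Added example, not VB's code."""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LoaderCollector(HTMLParser):
    """Collect every <script src> and <iframe src> start tag."""

    def __init__(self):
        super().__init__()
        self.loads = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            self.loads.append((tag, src))


def third_party_loaders(html, page_host):
    """Return {host: [(tag, src), ...]} for loads whose src is off-site.

    Relative URLs have no hostname and are treated as same-site;
    scheme-relative ("//host/...") URLs are resolved like absolute ones."""
    parser = _LoaderCollector()
    parser.feed(html)
    by_host = defaultdict(list)
    for tag, src in parser.loads:
        host = (urlparse(src).hostname or "").lower()
        if host and host != page_host.lower():
            by_host[host].append((tag, src))
    return dict(by_host)


def suspicious_hosts(by_host):
    """Hosts that serve both an iframe and a script to the same page."""
    return sorted(host for host, loads in by_host.items()
                  if {tag for tag, _ in loads} >= {"iframe", "script"})


# Constructed sample: one ordinary ad script, one same-site script, and a
# third-party host (tds.example) that injects both an iframe and a script.
SAMPLE_HTML = """<html><body>
<script src="//ads.example/show.js"></script>
<script src="/wp-includes/js/jquery.js"></script>
<iframe src="http://tds.example/in.php?id=1" width="1" height="1"></iframe>
<script src="http://tds.example/js.php"></script>
</body></html>"""

if __name__ == "__main__":
    print(suspicious_hosts(third_party_loaders(SAMPLE_HTML, "blog.example")))
```

Because the injected iframe is created at run time by the obfuscated script, feed this the rendered DOM saved from a browser rather than the raw server response if the iframe is to be seen at all.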

This Throwback Thursday, we turn the clock back to January 1994,
shortly after Cyber Riot had emerged as the first virus capable of
infecting the Windows kernel.

Today, malware that affects the Windows kernel is ubiquitous -- the majority of sophisticated attacks against Windows users have at least one component executing in the operating system kernel. But in 1993, the Windows kernel remained untouched by malware -- and indeed Windows viruses were somewhat cumbersome and technically quite simple. That was until Cyber Riot came along.

While previous Windows viruses had operated fairly simply, Cyber Riot was the first Windows-specific virus to remain resident and to intercept the execute function by infecting KRNL386.EXE. Not only that, but Cyber Riot used several Windows functions not documented in any of the Developers' Kits. Indeed, it can be said that Cyber Riot was one of the first advanced Windows viruses.

VB's full analysis of Cyber Riot, from January 1994, can be read here in HTML format, or downloaded here as a PDF (no registration or subscription required).

The operating system has been patched, but it is unclear whether
users will receive those patches.

Researchers at mobile security firm Zimperium have discovered a remote code execution flaw in the Stagefright media library used on Android phones. The vulnerability allegedly means it could, for instance, take one MMS message for an attacker to run code on a targeted device. In some cases, if the device is old, this code could even be run with elevated system privileges.

Few technical details have been made public so far, but Zimperium's Joshua J. Drake will present the research at the Black Hat and DEF CON security events next week.

A patch authored by Drake in the Android-based CyanogenMod operating system suggests the problem lies in a failure to check for edge cases. However, while Drake has published screenshots of him successfully targeting a device running Android Lollipop 5.1.1, it isn't immediately clear how easy it would be for an attacker to turn this into a workable exploit for all, or at least a large portion, of the 950 million vulnerable devices. In the worst-case scenario, the exploit could be turned into a worm of a size not seen for a very long time.

This Throwback Thursday, we turn the clock back to 1993, when VB
asked the key question: could a virus compromise safety at one of
Britain's nuclear power plants?

2010 saw the discovery of Stuxnet, which targeted industrial control systems in general, with the specific target of a particular Iranian nuclear facility -- but 2010 wasn't the first time VB had reported on a virus infection at a nuclear facility.

In 1993, one of the UK's nuclear power plants, Sizewell B, fell
victim to the Yankee virus. As is so often the way with these
things, the media went into overdrive -- the combination of
perceived danger to the public, nuclear power and computer viruses
did, after all, give the story all the required elements to be
highly newsworthy, and much of the portrayal bordered on the
hysterical.

In December 1993, VB decided it was important to cut through the hype and ask the key question: could a virus compromise safety at the plant? Then-editor of VB Richard Ford paid a visit to the plant and concluded that not only did Nuclear Electric, the company running Britain's nuclear power plants, take the threat of viruses seriously, but that the Yankee virus had clearly never threatened the integrity of the Sizewell B computer systems in any way whatsoever.

Ten speaking slots waiting to be filled with presentations on
'hot' security topics.

There's never a dull moment in the world of IT security. Whether you think the breach of spyware maker Hacking Team is the most important story of the past few months, that the breach at Ashley Madison was at least as embarrassing for those affected, or you feel that the fact that anti-virus companies were found to be targeted by a piece of sophisticated malware as well as by intelligence agencies directly is a more important story: it's been an interesting few months.

With all of this in the news, we are all the more glad that, just as in previous years, we have set aside a portion of the VB2015 conference programme for 'last-minute papers': presentations dealing with up-to-the-minute specialist topics, with the emphasis on current and emerging ('hot') topics.

We have now opened the call for papers for these slots. The deadline for submissions is 3 September 2015, after which the selection committee will go through the submissions and make the final selection.

Those selected for the last-minute presentations will be
notified by email 18 days prior to the start of the conference. One
complimentary conference place will be allocated to each
last-minute presentation selected. (Where a presentation is
submitted by more than one speaker, one free conference place will
be allocated, and co-speakers (who must be named at the time of
abstract submission) will receive a 50% discount on the conference
registration fee.)